The present invention relates to the field of information technology and, more particularly, to systems and techniques for distributed firewalls in cloud computing environments.
A traditional firewall system in an enterprise network environment typically relies on network topology information and is deployed at the periphery of a TCP/IP network domain to protect the applications and computers behind it. When any software application or computer outside the network domain attempts to communicate with an application or computer inside the network domain, the traffic must pass through the firewall. Depending on the security policy programmed on the firewall, the communication traffic may or may not be permitted to traverse it.
However, if both communicating applications or computers are inside the network domain, their communications may never reach the periphery of the network. By virtue of the network topology, such communications therefore do not pass through the firewall and are allowed. This is a fundamental property of a peripheral, network-based firewall deployment in an enterprise environment. Such a network-based firewall is typically implemented with a centralized architecture, in which a single firewall is provisioned at the edge of a network to protect a number of computers behind it.
When enterprises begin to deploy their applications or virtual servers in a cloud computing environment, whether private or public, deploying a peripheral firewall becomes very challenging: the network is virtualized, and the physical topology information is not available to the users of the cloud computing environment for business-model and liability reasons. Brute-force methods of obtaining this information and supplying it for firewall deployment cannot be used effectively by most cloud management systems. For example, in a public cloud, by definition all virtual machines and applications are “exposed” on the Internet.
Enterprise customers typically cannot obtain the network topology information from the cloud service provider, since the same topology may also be used to deploy computing resources for other customers. Further, even if this information were made available to enterprise customers for firewall deployment purposes, the cloud management system may not follow the physical network topology when instantiating virtual machines; in a modern design, the cloud orchestration system typically controls the virtual network topology. As a result, the applications and their firewall protection may fall out of sync, because a conventional firewall operates in the physical network. A cloud management system deploys virtual machines across a distributed computing environment, and handling a centralized firewall on a per-customer basis to cover those distributed virtual machines can be technically challenging.
Therefore, there is a need for a new peripheral firewall system, provisioned and controlled by enterprise customers, that operates in a virtual domain to protect the applications and virtual machines in a cloud computing environment without relying on the underlying TCP/IP network topology or the network equipment. This peripheral firewall system must work seamlessly with the cloud orchestration system so that cloud automation is preserved. The security rules for the firewall system need to be specified statically by the customers, and the enforced firewall rules then need to be computed dynamically, reacting to the dynamic reconfiguration of computing resources driven by the cloud orchestration system. There is a need to let enterprises keep their conventional notion of a “peripheral firewall” and easily protect the applications and virtual machines in the new cloud computing environments, while ensuring that the technology naturally fits a new and distributed cloud computing environment.
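The separation described above, static customer-written rules on one side and dynamically recomputed enforcement on the other, is easiest to see in a small model. The following Python is an added illustration written for this section and is not code from the patent or from any product it describes. It assumes a rule language in which customers name workloads by label (for example "web" or "db") rather than by address, and an orchestrator that notifies the firewall whenever a virtual machine starts or stops. Every label, VM id and address below is constructed for the example. The key point it demonstrates is that the customer's policy never changes while the enforced rule set follows the virtual topology, and that traffic matching no rule is denied by default.

```python
"""Label-based distributed firewall policy compiler (added illustration).

Customers write static rules in terms of workload labels; the orchestrator
reports which virtual machines currently carry which labels and which
addresses they hold. Concrete allow rules are recomputed whenever the
inventory changes, so enforcement follows the virtual topology instead of
any physical network layout. All names and data here are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass(frozen=True)
class StaticRule:
    """A customer-specified rule: allow src_label -> dst_label on a port."""
    src_label: str
    dst_label: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class ConcreteRule:
    """An enforceable rule expressed in addresses the data path understands."""
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str


@dataclass
class Inventory:
    """What the orchestrator currently reports: vm id -> (labels, ip)."""
    vms: dict = field(default_factory=dict)

    def add(self, vm_id, labels, ip):
        ip_address(ip)  # reject malformed addresses early
        self.vms[vm_id] = (frozenset(labels), ip)

    def remove(self, vm_id):
        self.vms.pop(vm_id, None)

    def ips_with(self, label):
        return sorted(ip for labels, ip in self.vms.values() if label in labels)


def compile_rules(policy, inventory):
    """Expand label-based rules into concrete per-endpoint rules."""
    out = set()
    for r in policy:
        for s in inventory.ips_with(r.src_label):
            for d in inventory.ips_with(r.dst_label):
                if s != d:
                    out.add(ConcreteRule(s, d, r.dst_port, r.proto))
    return out


def is_allowed(rules, src_ip, dst_ip, dst_port, proto="tcp"):
    """Default deny: a flow passes only if a compiled rule matches it exactly."""
    return ConcreteRule(src_ip, dst_ip, dst_port, proto) in rules


class DistributedFirewall:
    """Holds the static policy and recomputes enforcement on orchestrator events."""

    def __init__(self, policy):
        self.policy = list(policy)
        self.inventory = Inventory()
        self.rules = set()

    def on_vm_started(self, vm_id, labels, ip):
        self.inventory.add(vm_id, labels, ip)
        self._recompute()

    def on_vm_stopped(self, vm_id):
        self.inventory.remove(vm_id)
        self._recompute()

    def _recompute(self):
        self.rules = compile_rules(self.policy, self.inventory)


def run_demo():
    """Walk through a scale-out and a scale-in event; returns the observed decisions."""
    policy = [StaticRule("web", "db", 5432), StaticRule("lb", "web", 8080)]
    fw = DistributedFirewall(policy)
    fw.on_vm_started("vm-web-1", {"web"}, "10.0.1.10")
    fw.on_vm_started("vm-db-1", {"db"}, "10.0.2.20")
    web_to_db = is_allowed(fw.rules, "10.0.1.10", "10.0.2.20", 5432)   # True
    db_to_web = is_allowed(fw.rules, "10.0.2.20", "10.0.1.10", 8080)   # False: no rule
    fw.on_vm_started("vm-web-2", {"web"}, "10.0.1.11")                  # orchestrator scales out
    new_web_to_db = is_allowed(fw.rules, "10.0.1.11", "10.0.2.20", 5432)  # True, policy unchanged
    fw.on_vm_stopped("vm-web-1")                                        # orchestrator scales in
    stale_web_to_db = is_allowed(fw.rules, "10.0.1.10", "10.0.2.20", 5432)  # False: address retired
    return web_to_db, db_to_web, new_web_to_db, stale_web_to_db, len(fw.rules)


if __name__ == "__main__":
    print(run_demo())
```

Two design choices matter here. Compilation is a full recomputation from the current inventory rather than an incremental patch, which keeps the enforced set a pure function of (policy, inventory) and avoids stale entries after a VM is retired. And the lookup is an exact-match set membership with no wildcard, so any flow the orchestrator has not accounted for is dropped; a real data path would add direction and connection-state handling on top of this.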